NIST Cybersecurity Framework version 1.1 - AWS Audit Manager

NIST Cybersecurity Framework version 1.1

AWS Audit Manager provides a prebuilt framework that structures and automates assessments for the NIST Cybersecurity Framework, based on AWS best practices.

Note

What is the NIST Cybersecurity Framework?

The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the U.S. Department of Commerce. NIST is one of the oldest physical science laboratories in the United States. The U.S. Congress established the agency to improve what was at the time a second-rate measurement infrastructure. The infrastructure was a major challenge to U.S. industrial competitiveness, having lagged behind other economic powers like the U.K. and Germany.

The United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and interconnectedness of critical infrastructure systems. They put the security, economy, and public safety and health of the United States at risk. Similar to financial and reputational risks, cybersecurity risk affects a company’s bottom line. It can drive up costs and affect revenue. It can harm an organization’s ability to innovate and to gain and maintain customers. Ultimately, cybersecurity can amplify the overall risk management of an organization.

The NIST Cybersecurity Framework (CSF) is supported by governments and industries worldwide as a recommended baseline for use by any organization, regardless of sector or size. The NIST Cybersecurity Framework consists of three primary components: the framework core, the profiles, and the implementation tiers. The framework core contains desired cybersecurity activities and outcomes organized into 23 categories that cover the breadth of cybersecurity objectives for an organization. A profile represents an organization's unique alignment of its organizational requirements and objectives, risk appetite, and resources with the desired outcomes of the framework core. The implementation tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the framework core.

Using this framework to support your audit preparation

You can use the NIST Cybersecurity Framework version 1.1 to help you prepare for audits. This framework includes a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped into control sets according to NIST CSF requirements. Audit Manager currently supports the framework core component by offering 56 automated controls and 52 manual controls. These controls are matched to the 23 cybersecurity categories that are defined in the framework core. Audit Manager doesn't support the profiles and implementation tiers components of this framework.

You can also customize this framework and its controls to support internal audits with specific requirements.

Using the framework as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for your audit. After you create an assessment, Audit Manager starts to assess your AWS resources based on the controls that are defined in the NIST Cybersecurity Framework version 1.1. When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. You can either browse the evidence folders in your assessment and choose which evidence to include in your assessment report, or, if you enabled evidence finder, search for specific evidence and then export it in CSV format or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.

The details for NIST Cybersecurity Framework version 1.1 are as follows:

Framework name in AWS Audit Manager: NIST Cybersecurity Framework version 1.1
Number of automated controls: 56
Number of manual controls: 52
Number of control sets: 23
AWS services in scope:
  • AWS Config
  • AWS Identity and Access Management
  • AWS Security Hub

Tip

To review the AWS Config rules that are used as data source mappings in this standard framework, download the AuditManager_ConfigDataSourceMappings_NIST-CSF-v1.1.zip file.

The controls that are offered by Audit Manager aren't intended to verify whether your systems are compliant with the NIST Cybersecurity Framework. Moreover, they can't guarantee that you'll pass a NIST Cybersecurity audit. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.

You can find this framework under the Standard frameworks tab of the Framework library in Audit Manager.

For instructions on how to create an assessment using this framework, see Creating an assessment.

When you use the Audit Manager console to create an assessment from this standard framework, the list of AWS services in scope is selected by default and can’t be edited. This is because Audit Manager automatically maps and selects the data sources and services for you, according to the requirements of the NIST Cybersecurity Framework version 1.1. If you need to edit the list of services in scope for this framework, you can do so by using the CreateAssessment or UpdateAssessment API operations. Alternatively, you can customize the standard framework and then create an assessment from the custom framework.
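The scope edit that the console doesn't allow, shown as an added example in Python (not code from the AWS documentation): it looks the standard framework up by name under the Standard frameworks and then replaces the awsServices list through UpdateAssessment while passing the accounts already in scope through unchanged. The stub client, the assessment ID, the account ID and the serviceName strings are constructed for offline use and are assumptions; a real run would pass boto3.client("auditmanager") instead and should take the serviceName values from GetAssessment output.

```python
"""Editing services in scope via the Audit Manager API (added example, not AWS docs code).
The console locks the service list for this standard framework; UpdateAssessment does not.
A client object is passed in so the logic runs offline against the constructed stub below;
in practice it would be boto3.client("auditmanager")."""
FRAMEWORK_NAME = "NIST Cybersecurity Framework version 1.1"
PAGE_SERVICES = ("AWS Config", "AWS Identity and Access Management", "AWS Security Hub")


def find_standard_framework_id(client, name=FRAMEWORK_NAME):
    """Look the framework up under frameworkType=Standard, following nextToken pages."""
    kwargs = {"frameworkType": "Standard"}
    while True:
        page = client.list_assessment_frameworks(**kwargs)
        for meta in page["frameworkMetadataList"]:
            if meta["name"] == name:
                return meta["id"]
        if not page.get("nextToken"):
            raise LookupError(f"standard framework not found: {name}")
        kwargs["nextToken"] = page["nextToken"]


def set_services_in_scope(client, assessment_id, service_names):
    """Replace awsServices in the assessment scope; accounts already in scope are kept.
    UpdateAssessment takes the whole scope, so the current one is read back first and
    its awsAccounts list is passed through unchanged."""
    current = client.get_assessment(assessmentId=assessment_id)["assessment"]["metadata"]["scope"]
    new_scope = {"awsAccounts": current.get("awsAccounts", []),
                 "awsServices": [{"serviceName": n} for n in service_names]}
    client.update_assessment(assessmentId=assessment_id, scope=new_scope)
    return new_scope


class StubAuditManager:
    """Constructed stand-in for the API client. The serviceName strings are assumed
    from the page's service list; check GetAssessment output for the real values."""
    def __init__(self):
        self.updates = []  # records every UpdateAssessment call
        self.pages = [{"frameworkMetadataList": [{"id": "fw-other", "name": "Other"}], "nextToken": "p2"},
                      {"frameworkMetadataList": [{"id": "fw-nist-csf", "name": FRAMEWORK_NAME}]}]

    def list_assessment_frameworks(self, frameworkType, nextToken=None):
        return self.pages[1] if nextToken else self.pages[0]

    def get_assessment(self, assessmentId):
        scope = {"awsAccounts": [{"id": "111122223333"}],
                 "awsServices": [{"serviceName": s} for s in PAGE_SERVICES]}
        return {"assessment": {"metadata": {"id": assessmentId, "scope": scope}}}

    def update_assessment(self, **kwargs):
        self.updates.append(kwargs)
        return {"assessment": {"metadata": {"scope": kwargs["scope"]}}}
```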

For instructions on how to customize this framework to support your specific requirements, see Customizing an existing framework and Customizing an existing control.

More NIST resources